I’m working with Camundo and I noticed something that I would like clarification, in case someone can help me.
Why the API engine allows us to get tasks with non-existent users and I can also get tasks with a user that doesn’t belong to the group that the task was assigned to.
Does the API not have any kind of validation?
from my experience, the use cases for a tasklist and the API differs a lot. I started a long time ago with the assumtion, that a tasklist application should be as restrictive as possible to guide the task workers. But real life projects showed, that the tasks users want a lot of flexibilty to get their tasks done.
You can use more restrictive task queries to show only certain tasks to the users. And double-check the state of a task, as it is done in the Camunda Tasklist. Here you can only complete a task, if you have claimed it before. But this logic is implemented in the Tasklist.
Yes. Internally, the assignee and candidate users and groups are just Strings saved in a column in the database.
If you assign a task to a non existing user, no one will find the task to work on it, but the task itself is not lost, just hidden. On the other hand, “potato” can steel a task from somebody else. It is a requirement engineering descision, how to handle these cases. For some groups they are acceptable, others have to avoid them…